Recommended Aruba Training? | Networking
- Recommended Aruba Training?
- CISCO ISE Training and Labs
- EVPN-VxLAN arp suppression disable on border-leaf
- DR site design and technologies
- Strange NAT issue occurring on single VM, need some insights (TCPDUMP included)
- Advice needed: 2nd hand Dell S5148F-ON vs Arista DCS-7060CX-32S
- TCAM carving question for Cisco Nexus 9396PX
- Extending WiFi over 3 floors
- Layer 2 circuit behind firewall or outside the firewall?
- CISCO DataBroker training?
- OSPF RID duplicate from itself
- Dell OS10 VLT and spanning tree
- Palo Alto Log Filter
- [Packet Tracer] ASA 5506 NAT won't translate
- Router Behind a Router - Good/Bad?
- Cisco ISR Blocking ICMP Timestamp/Port 22
- HPE OfficeConnect 1950 opinion
- Help with 802.1q and Vlan ID 0
- SSL/TLS VPN vs IPSec GlobalProtect: Odd
- Webex BW Consumption
Recommended Aruba Training? Posted: 15 Jan 2021 11:21 AM PST Any recommended resources for learning Aruba AOS 8 and building a new multi-site deployment from scratch? I'm a Cisco CCNP who took over management of a 40+ site/600 AP Aruba 6.5 deployment (still Cisco on the wired side). We're looking at replacing the aging 6.5 gear with a new AOS 8 deployment, but that looks like building a new configuration from scratch (every rep I've spoken to doesn't recommend the migration tool, and this would be a chance to clean up old config garbage). Any tips on YouTube playlists or other sites for learning AOS 8 (special focus on Mobility Master/child site configuration)? I may also be able to pay for professional training (was looking at the ACMA or ACMP courses) too. For paid training, any recommended authorized trainers?
CISCO ISE Training and Labs Posted: 15 Jan 2021 05:49 AM PST Hello! I'm on a quest for additional resources about CISCO ISE. I've gotten a little collection of ISE training and practice material. But I'd just like to know what everyone is using to practice, read up on and/or lab up CISCO ISE. GNS3 has resources which I've downloaded. Just wanna see if there are any hidden gems out there (books, labs, anything) that are musts that I have missed. Thanks!
EVPN-VxLAN arp suppression disable on border-leaf Posted: 15 Jan 2021 12:27 PM PST I have ARP suppression enabled on all my leaf switches, but because of a TCAM memory limitation I can't enable ARP suppression on the border-leaf switch (I don't have any server connection to the border-leaf). Is it going to create any issue or misbehave in terms of traffic flow or silent host discovery?
DR site design and technologies Posted: 15 Jan 2021 07:04 AM PST For 2021 we have been asked to configure one of our other sites as a DR site. I haven't looked at doing this for many years and was wondering what you all do for DR/business continuity. We are a Fortigate/VMware/Aruba switch shop with no current load balancer technology deployed. In the past, and many moons ago at a different company, our DR was pretty simple but required manual intervention, i.e. we kept a VMware instance replicated at site B and I simply changed the server VLAN at site B to reflect the subnet from site A and added that network to be advertised out via our dynamic routing protocol from site B. The desire is to see what the viability/cost is to implement an active/active failover scenario.
Strange NAT issue occurring on single VM, need some insights (TCPDUMP included) Posted: 15 Jan 2021 03:34 PM PST Hi everyone! My server recently had a fit, and now one of my Ubuntu VMs is acting strangely. I am unable to make a NAT'ed connection over a site-to-site VPN that worked just fine prior to this, and I hope someone can shed a light on where the problem might be. Setup is as follows:

- 155.55.55.55 (fake) - Public IP of remote side on site-to-site LAN
- 10.20.0.1 - IP of router/default gateway on remote side of site-to-site VPN
- 192.168.0.1 - IP of device setting up local bridging of site-to-site VPN
- 10.20.0.203 - IP on site-to-site LAN

Prior to my server having a fit, I had a working forward from 155.55.55.55:80 to 10.20.0.203:80. The forward would work as follows: Device (pfSense) with 155.55.55.55 on its WAN interface (10.20.0.1 on a LAN interface) is configured to forward port 80 to 10.20.0.203, which is an Ubuntu VM that resides in said LAN, but on the other side of the site-to-site VPN. The bridging to the remote side of the LAN is performed by a pfSense instance as well. The bridge works just as expected, and is described so you have an idea of the setup.

The problem arises when I attempt to do a NAT from the remote public IP: 155.55.55.55 (80) -> 10.20.0.203 (80). When I attempt to connect to the public IP on port 80, the forward works just fine towards 10.20.0.203 (80). The problem is that the Ubuntu VM doesn't ack the TCP connection, leading to timeouts. You can see an image showing this here: https://i.imgur.com/Ita4b60.png This is a tcpdump performed on the Ubuntu VM that is the destination of the forward. It shows that a telnet connection attempt actually reaches the VM, which has netcat listening on port 80 (the big blue bar is my public IP I am trying to access the forward from; you can see on the right it hits *.http, which is port 80). None of the SYNs are acked, and I do not understand why.

Here is another dump from a host on the remote side LAN (10.20.0.151) connecting with telnet successfully: https://i.imgur.com/p2Y0blq.png I have ruled out the port forward as an issue, as it works just fine with another exact duplicate freshly installed Ubuntu VM. Does anyone have some experience and can guide me on how I should go about diagnosing this?
Advice needed: 2nd hand Dell S5148F-ON vs Arista DCS-7060CX-32S Posted: 15 Jan 2021 08:33 AM PST Moin. We are a small IT consultancy upgrading our backbone to 25G with the possibility to go 100GbE as soon as there is a nice deal. I aim at the used market mostly to get the best deal for the buck, but we want something that is at least getting regular firmware updates in the near future. Easy access to firmware updates is important. Our nodes are all 25GbE Mellanox cards (ConnectX-4 and ConnectX-5). We will need to interconnect with some Mikrotiks, so we need something that is not picky on the DAC brand. I got a few sub-2k deals on eBay for 2nd hand 25G and 100G switches, and after much comparison the choice is now between Dell S5148F (48x 25GbE + 6x 100GbE, Cavium) and Arista DCS-7060CX-32S (32x 100GbE, Tomahawk), Arista being just a bit more expensive. On port budget we fit into both; Arista will be almost empty, and cabling the Dell will likely cost us more (a DAC per port for Dell, whereas for Arista we will need much fewer QSFP28 splitters). All in all I tend to favor Arista more, partly because of the cheaper cabling, partly because Cavium is killed, partly because I had a bad experience with Dell switches in general (X-series). However, with Arista I feel it may be overkill. As for firmware, both are open questions for me: for Dell the open question is getting OS10 updates, for Arista the problem is getting EOS updates. Both seem to require some sort of registration and proof of contract, which I want to avoid; I'm a bit afraid to also buy non-updatable iron. Does anyone favor one over the other? Is there a better option to look at, even if it'll cost slightly more? I appreciate any other advice.
TCAM carving question for Cisco Nexus 9396PX Posted: 15 Jan 2021 07:34 AM PST I have a Cisco Nexus 9396PX configured for IPv4 with an IPv4 RACL on an SVI to block some basic traffic. Now I have configured IPv6 and am trying to configure an access-list, but it's saying you don't have TCAM space, so I started looking around to see where I can borrow, and this is what I have. As per the document I may need a 512 slice for IPv6 double-width. Question: IPv6 has zero allocation. This is what my utilization table looks like (it's saying PACL used 3; does that mean I can't take that slice?)
Extending WiFi over 3 floors Posted: 15 Jan 2021 01:45 AM PST I've got WiFi in a fifth floor unit of a commercial building. We've recently taken on a new unit on the second floor and are wondering if it would be possible to extend the WiFi from the fifth floor all the way down to the second. The unit on the second floor isn't too far away from the unit on the fifth in that it's just 1 unit beside, 3 floors down. Would a WiFi extender/repeater work? We do not have access to power points outside our unit. Thanks in advance! Edit: if I'm lucky, I am sometimes able to have 1 bar of WiFi reception when I'm in the second floor unit. Edit 2: both units are small (approx. 190 sqft).
Layer 2 circuit behind firewall or outside the firewall? Posted: 15 Jan 2021 07:12 AM PST I'm building a Layer 2 connection between two locations through a 3rd party service provider for some specific traffic. Currently the traffic is serviced by a VPN, but the VPN can't keep up with the amount of data that needs to be sent. I'm fairly confident that putting the Layer 2 circuit outside the firewall will be fine, but I want to make sure there is not some security issue in doing so that I'm just not thinking about.
CISCO DataBroker training? Posted: 15 Jan 2021 07:14 AM PST Is there any Data Broker training anywhere? Preferably free, but paid is OK. I can't find any training videos. I can see the configuration guides, but like most Cisco configuration guides it is very clinical and not conducive to someone with no knowledge of DBs. I will be implementing a new DB setup replacing a Gigamon setup and am clueless at this point. Any suggestions welcome.
OSPF RID duplicate from itself Posted: 14 Jan 2021 08:51 PM PST I recently had an issue where OSPF RID duplicate messages popped up on N9K switches. Both N9K switches are interconnected with an L2 link and running HSRP. This log was captured from SW#1. SW#2 also had the same log entry with the address of 192.168.1.253. So it basically tells me that there was an OSPF RID conflict from itself. What can cause this issue? Bridging loop perhaps?
Dell OS10 VLT and spanning tree Posted: 15 Jan 2021 03:06 PM PST I am hopeful someone much more knowledgeable can help me out late on a Friday. I have a cabinet set up with two S5248F-ON in a VLT domain. Everything is great. I am trying to connect a second cabinet with the same setup, different VLT domain ID. I've connected the two cabinets via a port channel, switch A to switch A, switch B to switch B; the port channel is set up in both cabinets across each VLT. OS10 recommends RPVST+ for spanning tree. My question is, what should my spanning tree priorities be? In the first cabinet I have switch A with priority 4096, switch B with priority 8192. Should I mirror the same in the second cabinet, or will this cause spanning tree chaos?
Palo Alto Log Filter Posted: 15 Jan 2021 08:52 AM PST Hi All, Anyone know if there is a way to filter on the name category under the threat logs for a keyword and not the full string? I can't figure out the proper syntax, and I have to believe they'd include that so we don't have to sift through pages and pages of junk to find what we're looking for. For example, I want to see every threat alert that came in with the keyword "macro" in the name field, but when I try to build a filter, there is no "contains", only equal or not equal.
[Packet Tracer] ASA 5506 NAT won't translate Posted: 15 Jan 2021 09:49 AM PST Whenever I send an ICMP packet from a device with an IP address of 192.168.5.2 through the ASA 5506, it won't translate the packet's address to the outside interface's address. But if I send an ICMP packet from the router itself, it will translate it into the intended address. Why doesn't it translate the packet from the other device? Worth mentioning: I also connected a PC directly to the ASA. It sends an ARP message to the ASA at first, and once that is done it then sends the ICMP packet, which translates successfully. Does the ARP message to the ASA somehow update its table and make it possible to translate? Please take a look at the imgur images to get an understanding of what the network looks like. Help would be appreciated! ASA Configuration:
Router Behind a Router - Good/Bad? Posted: 15 Jan 2021 12:09 PM PST Hi guys. We have 2 Check Point firewalls with redundant ISP links in one of our offices and we are trying to find ways of routing traffic to local websites over a specific ISP link, rather than routing it via the default route. Policy-based routing is not possible due to incompatibilities with features that we have enabled on the firewalls. My colleague has suggested adding a new router between the firewall and one of the existing ISP routers and forwarding traffic this way:

- [All traffic] FW > New Router > Existing ISP router > internet
- [Local traffic] FW > New Router > Other ISP router > internet

So, essentially, all traffic will ultimately be routed by the new router and not the firewall. To my knowledge this isn't a good idea, due to double NAT in particular, and it seems a bit much to do this to route traffic for a few websites. Am I right or wrong? It's not something I've done before, so I am keen on hearing what more experienced people have to say!
Cisco ISR Blocking ICMP Timestamp/Port 22 Posted: 15 Jan 2021 09:30 AM PST Looking for some feedback to make sure what I am doing will accomplish what I need it to without causing undesirable behavior. Admittedly I've lost a lot of my network/Cisco skills over the years as my job roles took me more into sysadmin than networking; hoping to just get a "sanity check" before I do anything. Long story short, our vulnerability scanner tagged our new router for listening on port 22 (even though SSH is disabled) and responding to ICMP timestamp requests. To fix this, I've come up with the below ACL I intend to apply to the interface where these are being detected. Does this make sense? Am I missing something obvious here? The plan is to first issue a "reload in 30" before making any changes, just in case it causes issues. Only after a successful implementation would I commit the changes to the startup config. Ideally I won't have to rely on the reload, but being risk-averse I tend to have some CYA. If there's a better way to do what I need to do, I am all ears. For context, the router is an ISR4451 running Cisco IOS XE 16.06.04.
HPE OfficeConnect 1950 opinion Posted: 14 Jan 2021 09:04 PM PST Greetings r/networking, I have not been posting much but have been doing a lot of reading and require input. I've been tasked to revamp the office network, which consists of: Due to 802.1X requirements and age, we've decided to replace the whole stack. Core would be 2x 2930M stacked with 10G uplinks to each floor, with HPE 1950-24G for edge access. We've decided to go with the OfficeConnect 1950 as they're stackable for ease of management. The switches would only be configured to run in L2. Could anyone advise if the reported 802.1X issue with these switches is resolved, based on the R3208P16 firmware release? I haven't done any 802.1X deployments, but our required goal for the wired LAN is to deny any non-company-owned/non-domain-joined laptops from connecting to the wired network. Authentication, I understand, would need to be domain authentication via an NPS server. My vendor claims that this setup doesn't work; is this true? Any input is welcome.
Help with 802.1q and Vlan ID 0 Posted: 14 Jan 2021 06:30 PM PST So I have a device that transmits untagged and tagged frames. It's using 802.1Q to add 802.1p PCP for class of service stuff on some of those frames. However, it's using the VLAN ID of 0 when doing this. The end goal is to propagate all traffic (tagged and untagged) from all the devices on the switch through a set of Ethernet radios to another switch. I'd like to retain the 802.1Q header until it reaches the far switch. Topo is like Device---ExtremeSwitchA--EthernetRadioA---EthernetRadioB---SwitchB (possibly Aruba or Extreme). In most of the trunking configs I have to explicitly state what VLAN ID I'm permitting across the trunk; ID 0 is not an option. However, I've read that when switches receive a VLAN ID of 0 in an 802.1Q header they retag the header with the native VLAN ID, i.e. the VLAN the trunk port is in. I'm hoping to set up all the VLANs to an ID of 1 (for testing), enable trunking between the device, the switches and the Ethernet radios, and see what happens. I can set up a hybrid trunk port that takes tagged and untagged packets. Has anyone had experience with trunking with a VLAN ID of 0?
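The post above describes priority-tagged frames (an 802.1Q tag carrying a PCP but VLAN ID 0) and the common switch behaviour of classifying them into the port's native VLAN on ingress. The following is an added example, not code from the poster, that parses the 802.1Q tag control field from constructed Ethernet frames, distinguishes untagged, priority-tagged and VLAN-tagged frames, and models the ingress classification the post describes; the `native_vid` parameter and the sample MAC addresses are assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed sample addresses and payload (not from any real capture).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45\x00" + b"\x00" * 18  # minimal IPv4-looking filler

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Build an Ethernet II frame; when vid is given, insert an 802.1Q tag.
    TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return a dict describing the tag state and fields of one frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":")}
    if ethertype != TPID_8021Q:
        info.update(kind="untagged", vid=None, pcp=None, ethertype=ethertype)
        return info
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    info.update(vid=vid, pcp=tci >> 13, dei=(tci >> 12) & 1, ethertype=inner)
    if vid == 0:
        info["kind"] = "priority-tagged"  # PCP only, no VLAN membership
    elif vid == 0xFFF:
        info["kind"] = "reserved-vid"     # 0xFFF is reserved by 802.1Q
    else:
        info["kind"] = "vlan-tagged"
    return info

def ingress_vid(info, native_vid):
    """VLAN a switch port assigns on ingress: untagged and VID-0 frames land
    in the port's native VLAN (PVID), which is the retagging the post mentions."""
    if info["kind"] in ("untagged", "priority-tagged"):
        return native_vid
    return info["vid"]

# Constructed frames: priority-tagged (PCP 5, VID 0), VLAN 100, and untagged.
PRIO = build_frame(DST, SRC, 0x0800, PAYLOAD, vid=0, pcp=5)
TAGGED = build_frame(DST, SRC, 0x0800, PAYLOAD, vid=100, pcp=3)
UNTAGGED = build_frame(DST, SRC, 0x0800, PAYLOAD)
```

Running `parse_frame` over a pcap of the device's traffic would show whether it really emits VID 0 with a non-zero PCP, and `ingress_vid` shows which VLAN such frames would be placed in on a trunk with a given native VLAN.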
SSL/TLS VPN vs IPSec GlobalProtect: Odd Posted: 14 Jan 2021 05:07 PM PST So my internet headend has the remote workers using GlobalProtect, and for some reason when I set it up years ago I never ticked the IPSec box for the tunnel. Today I'm setting up another internet headend, and when I configured GlobalProtect I did tick the IPSec box. I immediately noticed my connection was not laggy anymore. Using Google Maps as a benchmark when RDP'd into a computer, the SSL was laggy as hell, but on IPSec it was almost smooth. iperf shows the same speed, about 20mb for both connections; on UDP the jitter is a bit less on IPSec. So why am I seeing a huge RDP performance increase when using IPSec?
Webex BW Consumption Posted: 14 Jan 2021 04:59 PM PST Is the average BW used by a participant in a meeting specified by Cisco? I would like to know the minimum and maximum BW consumption for the below cases:

1. Users are using just voice in the room.
2. The presenter is sharing his desktop screen.